From: Andy Allan
Date: Fri, 9 Mar 2018 07:57:24 +0000 (+0800)
Subject: Merge branch 'pull/1765'
X-Git-Tag: live~3684
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/0f5ad1f3cc5d82efef93d2d17809145c5f68f233?hp=5cfc163bc2d47c2a1c179127111e287eebbbda75

Merge branch 'pull/1765'
---
diff --git a/app/controllers/trace_controller.rb b/app/controllers/trace_controller.rb
index a720c5fff..ce2494001 100644
--- a/app/controllers/trace_controller.rb
+++ b/app/controllers/trace_controller.rb
@@ -186,13 +186,13 @@ class TraceController < ApplicationController
 if !trace.visible?
 head :not_found
- elsif current_user.nil? || trace.user != current_user
+ elsif current_user.nil? || (trace.user != current_user && !current_user.administrator? && !current_user.moderator?)
 head :forbidden
 else
 trace.visible = false
 trace.save
 flash[:notice] = t "trace.delete.scheduled_for_deletion"
- redirect_to :action => :list, :display_name => current_user.display_name
+ redirect_to :action => :list, :display_name => trace.user.display_name
 end
 rescue ActiveRecord::RecordNotFound
 head :not_found
diff --git a/app/views/trace/view.html.erb b/app/views/trace/view.html.erb
index 57cc39a08..351c69227 100644
--- a/app/views/trace/view.html.erb
+++ b/app/views/trace/view.html.erb
@@ -54,9 +54,11 @@
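Review bot: The widened check on the new `elsif` line spells out the owner/administrator/moderator policy inline, and the same three-way test is written again in app/views/trace/view.html.erb, so the enforcement and the button visibility can drift apart when a role is added or removed. Moving it into one predicate that both places call (the name is only a suggestion), e.g. `elsif current_user.nil? || !trace.deletable_by?(current_user)`, keeps the controller as the single statement of the rule. The success path also leaves no record that a privileged account rather than the owner hid the trace; a comment such as `# administrators and moderators may delete any user's trace` and a log entry naming `current_user` and `trace.id` would make these deletions auditable. The `delete` action begins above this hunk, so its route and verb restrictions are not visible here.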

-<%= if_user(@trace.user) do %>
+<% if current_user && (current_user==@trace.user || current_user.administrator? || current_user.moderator?)%>
- <%= button_to t('trace.view.edit_track'), :controller => 'trace', :action => 'edit', :id => @trace.id %>
+ <%= if_user(@trace.user) do %>
+ <%= button_to t('trace.view.edit_track'), :controller => 'trace', :action => 'edit', :id => @trace.id %>
+ <% end %>
 <%= button_to t('trace.view.delete_track'), :controller => 'trace', :action => 'delete', :id => @trace.id %>
<% end %>
diff --git a/test/controllers/trace_controller_test.rb b/test/controllers/trace_controller_test.rb
index 2dafa5394..23a2e5261 100644
--- a/test/controllers/trace_controller_test.rb
+++ b/test/controllers/trace_controller_test.rb
@@ -679,12 +679,22 @@ class TraceControllerTest < ActionController::TestCase
 post :delete, :params => { :display_name => deleted_trace_file.user.display_name, :id => deleted_trace_file.id }, :session => { :user => deleted_trace_file.user }
 assert_response :not_found
- # Finally with a trace that we are allowed to delete
+ # Now with a trace that we are allowed to delete
 post :delete, :params => { :display_name => public_trace_file.user.display_name, :id => public_trace_file.id }, :session => { :user => public_trace_file.user }
 assert_response :redirect
 assert_redirected_to :action => :list, :display_name => public_trace_file.user.display_name
 trace = Trace.find(public_trace_file.id)
 assert_equal false, trace.visible
+
+ # Finally with a trace that is deleted by an admin
+ public_trace_file = create(:trace, :visibility => "public")
+ admin = create(:administrator_user)
+
+ post :delete, :params => { :display_name => public_trace_file.user.display_name, :id => public_trace_file.id }, :session => { :user => admin }
+ assert_response :redirect
+ assert_redirected_to :action => :list, :display_name => public_trace_file.user.display_name
+ trace = Trace.find(public_trace_file.id)
+ assert_equal false, trace.visible
 end
 # Check getting a specific trace through the api
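Review bot: Wrapping the edit button in `if_user(@trace.user)` only hides it from administrators and moderators; nothing in this commit shows the `edit` action refusing a non-owner, so that should be confirmed and tested server-side rather than relied on from the template. The new outer condition is also written without spacing, `current_user==@trace.user` and `)%>`; `current_user == @trace.user` and `) %>` would match the surrounding ERB. Some of the markup around these lines is missing from the page, so the nesting of the two `<% end %>` tags could not be checked.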
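Review bot: The added case exercises only an administrator session, so the `current_user.moderator?` branch introduced in the controller is never hit, and nothing in this hunk shows an unrelated, non-privileged user still receiving `:forbidden` for someone else's trace (that may be asserted earlier in the test, outside the hunk). A second block with a moderator-role user and the same four assertions would cover the new branch. Reassigning `public_trace_file` to the freshly created trace shadows the one used just above; a distinct name such as `other_users_trace` would make it obvious that the admin is acting on a trace they do not own. The test method starts before this hunk.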